Unpatched SQLi in dameng100 muucmf 1.9.5.20260309: Remote Exploit Available
The National Vulnerability Database has disclosed CVE-2026-6562, a high-severity SQL injection vulnerability in dameng100 muucmf version 1.9.5.20260309. This flaw resides in the getListByPage function within the /index/Search/index.html file, allowing remote attackers to manipulate the keyword argument and execute arbitrary SQL queries.
This isn’t a theoretical issue; an exploit has been publicly released, making it a clear and present danger for organizations running the affected software. The vendor, dameng100, was reportedly contacted prior to disclosure but has not responded, leaving users exposed with no official patch in sight. The CVSS score of 7.3 (High) reflects the severity: it’s remotely exploitable, requires no authentication, and can lead to significant impact on confidentiality, integrity, and availability.
Defenders must recognize the attacker’s calculus here: publicly available exploits for unpatched vulnerabilities are low-hanging fruit. Attackers will scan for these systems, knowing they can likely achieve immediate impact. The lack of vendor response means organizations cannot wait for a patch; immediate mitigation or removal of the affected component is critical.
What This Means For You
- If your organization uses dameng100 muucmf 1.9.5.20260309, particularly if it's internet-facing, you are directly exposed to a known, remotely exploitable SQL injection. Immediately identify all instances of this software. Given the lack of vendor response and public exploit, prioritize taking these systems offline or implementing stringent network-level access controls to prevent remote exploitation. Conduct a thorough audit for any signs of compromise if these systems have been exposed.
Related ATT&CK Techniques
🛡️ Detection Rules
1 rule · 6 SIEM formats1 detection rule mapped to MITRE ATT&CK. Sigma YAML is free — copy below.
CVE-2026-6562 - SQL Injection in muucmf Search Index
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6562 | SQLi | dameng100 muucmf version 1.9.5.20260309 |
| CVE-2026-6562 | SQLi | Vulnerable function: getListByPage in /index/Search/index.html |
| CVE-2026-6562 | SQLi | Vulnerable argument: keyword |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 19, 2026 at 12:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related Posts
CVE-2026-6712 — Cross-Site Scripting (XSS)
CVE-2026-6712 — The Website LLMs.txt plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.2.6...
CVE-2026-6711 — Cross-Site Scripting (XSS)
CVE-2026-6711 — The Website LLMs.txt plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including,...
CVE-2026-6703 — The Responsive Blocks – Page Builder for Blocks & Patterns
CVE-2026-6703 — The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to,...